TRENDING TOPICS NOV 19, 2025

Update: Cloudflare Global Network Outage Disrupts Major Online Services

Cloudflare previously reported a major outage on November 18 that disrupted core CDN, security, and authentication services across its Global Network, and new findings now clarify that the disruption stemmed from an internal database permissions change rather than malicious activity. According to Cloudflare's post-incident analysis, a ClickHouse permissions update caused the query that generates features for the Bot Management system to return duplicate metadata rows. The resulting feature configuration file exceeded a hardcoded size limit in the proxy layer that routes global traffic, and the proxy crashed when it loaded the file. Because the file is regenerated every five minutes, and whether a given run produced a good or a bad file depended on which ClickHouse nodes had already received the permissions change, the network repeatedly oscillated between recovery and failure as good and bad versions propagated. Cloudflare engineers initially suspected a large-scale attack because of this erratic behavior, but eventually traced the root cause to the malformed internal configuration file. By 14:30 UTC the company had rolled out a known-good feature file and restored stability across its infrastructure.

Additional reporting shows that the outage cascaded across multiple Cloudflare services, including Turnstile, Workers KV, Access authentication, and dashboard login flows, because they depend on the core proxy layer. The oversized feature file caused the bots module in both the legacy FL and the newer FL2 proxy engines to fail, producing widespread HTTP 5xx errors and forcing some services to bypass the proxy entirely. Recovery was further complicated by increased CPU load from Cloudflare's observability and debugging systems, which added latency while systems attempted to recover. Full remediation required stopping automated propagation of the generated file, rolling back the database behavior, and restarting downstream services that had entered degraded states.
The updated post-mortem underscores how a single invalid configuration file inside a large edge network can rapidly cascade into a multi-hour global outage affecting thousands of dependent services.
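As an added illustration (not Cloudflare's code, and not part of the original post), the Python below models the failure mode in miniature: a metadata query that suddenly sees the same table under a second database, a generator with no database filter, a consumer that treats an oversized file as fatal, and the two controls that would have contained it (dedup-and-validate before publishing, and fail-safe loading that keeps the last known-good file). The row shapes, the 200-feature limit, the `default`/`r0` database names and every function name are assumptions.

```python
"""Added example, not Cloudflare's code: a toy model of the feature-file
failure. The row shapes, the 200-feature limit, the `default`/`r0`
database names and every function name are assumptions."""
from dataclasses import dataclass

FEATURE_LIMIT = 200  # assumed hardcoded consumer-side limit


def column_rows(permissions_changed: bool):
    """Constructed column metadata, shaped like a system.columns-style query.

    Before the permissions change only rows for `default` are visible; after it
    the same table is also visible under the underlying `r0` database, so an
    unfiltered query returns every column twice."""
    rows = [("default", "http_requests_features", f"feat_{i}") for i in range(120)]
    if permissions_changed:
        rows += [("r0", "http_requests_features", f"feat_{i}") for i in range(120)]
    return rows


def generate_naive(rows):
    """Mirrors the failure: no database filter, every visible row becomes a feature."""
    return [col for (_db, _table, col) in rows]


def generate_hardened(rows, db="default"):
    """Filter to the intended database and dedup on (table, column)."""
    seen, features = set(), []
    for d, table, col in rows:
        if d != db or (table, col) in seen:
            continue
        seen.add((table, col))
        features.append(col)
    return features


def publish_if_valid(features):
    """Gate before propagation: an oversized file is never pushed to the edge."""
    if len(features) > FEATURE_LIMIT:
        return None  # alert here; the edge keeps serving the previous file
    return features


@dataclass
class CrashingProxy:
    """Consumer that treats an oversized file as a fatal error (the failure mode)."""
    active: list

    def load(self, features):
        if len(features) > FEATURE_LIMIT:
            raise RuntimeError("feature file exceeds limit")  # process dies, 5xx for everyone
        self.active = features


@dataclass
class FailSafeProxy:
    """Consumer that rejects a bad file and keeps the last known-good one."""
    active: list
    rejected: int = 0

    def load(self, features):
        if len(features) > FEATURE_LIMIT:
            self.rejected += 1  # count and alert, but keep serving `active`
            return False
        self.active = features
        return True


def rollout_cycle(updated_nodes):
    """One five-minute regeneration per entry; each entry says whether that run's
    ClickHouse node had received the permissions change. Returns whether each run
    produced a file the fail-safe proxy accepted, showing the good/bad oscillation."""
    proxy = FailSafeProxy(active=generate_naive(column_rows(False)))
    return [proxy.load(generate_naive(column_rows(updated))) for updated in updated_nodes]


if __name__ == "__main__":
    print(rollout_cycle([False, True, False, True]))  # alternates True/False
```

The two controls are independent: `publish_if_valid` stops a bad file at the source, and `FailSafeProxy` keeps the edge alive if a bad file slips through anyway. Neither removes the need for the database filter in `generate_hardened`, which is the actual bug fix.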

ShinyHunters Unveil “ShinySp1d3r,” a New Ransomware-as-a-Service Built From Scratch

Researchers have identified an early development build of ShinySp1d3r, a new ransomware-as-a-service (RaaS) platform created by threat actors linked to ShinyHunters, Scattered Spider, and Lapsus$. Historically known for leveraging third-party encryptors, including ALPHV/BlackCat, Qilin, and RansomHub, these groups are now moving toward full operational independence by building their own ransomware ecosystem from the ground up. The Windows encryptor exhibits an unusually broad capability set, including ETW suppression, shadow copy deletion, memory-wiping anti-forensics, free-space overwriting, and automated termination of processes that would otherwise block encryption. Investigators also observed multiple lateral-movement deployment mechanisms and a per-file extension derived from an internal formula rather than a fixed extension, so defenders cannot rely on a single known extension to spot encrypted files. Encrypted files carry a custom header that begins with the marker SPDR and ends with ENDS, storing file metadata and the ChaCha20 file key wrapped with RSA, while ransom notes and a placeholder leak-site URL are dropped across the host alongside a forced wallpaper change. ShinyHunters claims that the operation will launch under the unified “Scattered LAPSUS$ Hunters (SLH)” brand, signaling a formal collaboration between major data-extortion crews. The group also states that Linux, ESXi, and a high-speed pure-assembly “lightning version” are in active development, indicating a roadmap toward full cross-platform enterprise targeting. While the operators assert that healthcare and CIS-region organizations are off-limits, similar promises in prior RaaS programs have routinely collapsed under affiliate behavior. Given the toolset's maturity, even in this debug build, analysts assess that ShinySp1d3r is positioned to become a capable, multi-vector ransomware operation with strong anti-analysis defenses and aggressive disruption potential once fully released. 
Defenders should closely monitor emerging SLH infrastructure, enforce strict lateral-movement controls, and harden logging and ETW integrity protections to blunt early deployments.
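Because the encryptor assigns each file its own extension, triage during an incident has to be content-based. The Python below is an added example (not from the ShinySp1d3r report or any vendor tool) that scans file contents for the SPDR/ENDS header pair and combines that with a byte-entropy check on the rest of the file. Only the two markers come from the reporting; the header's internal layout, the 4096-byte search window, the entropy threshold and the sample files are constructed assumptions.

```python
"""Added example, not from the ShinySp1d3r report: content-based triage for the
SPDR/ENDS header. Only the two markers come from the reporting; the header
layout, search window, threshold and sample files are assumptions."""
import math
import random
from collections import Counter

HDR_START, HDR_END = b"SPDR", b"ENDS"
MAX_HEADER = 4096          # assumed upper bound for a metadata + wrapped-key header
ENTROPY_THRESHOLD = 7.0    # bits/byte; ciphertext sits near 8.0, text near 4 to 5


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_spdr_header(blob: bytes):
    """Return (start, end) of the first SPDR...ENDS span, or None.

    The markers are searched anywhere in the file because the reporting does not
    say whether the header is prepended or appended; the distance between them is
    capped so a stray 'SPDR' in ordinary text cannot pair with a far-away 'ENDS'."""
    start = blob.find(HDR_START)
    while start >= 0:
        end = blob.find(HDR_END, start + len(HDR_START), start + MAX_HEADER)
        if end >= 0:
            return start, end + len(HDR_END)
        start = blob.find(HDR_START, start + 1)
    return None


def triage(name: str, blob: bytes) -> dict:
    """Flag a file when it carries the header AND the remaining bytes look encrypted.
    The file extension is deliberately ignored: the encryptor derives a unique one per file."""
    span = find_spdr_header(blob)
    if span is None:
        return {"file": name, "spdr_header": False,
                "entropy": round(shannon_entropy(blob), 2), "suspect": False}
    s, e = span
    body_entropy = shannon_entropy(blob[:s] + blob[e:])
    return {"file": name, "spdr_header": True, "header_offset": s, "header_len": e - s,
            "entropy": round(body_entropy, 2), "suspect": body_entropy > ENTROPY_THRESHOLD}


def _constructed_samples() -> dict:
    """Constructed inputs for this example; none are real encrypted files."""
    rng = random.Random(20251119)                                   # deterministic stand-in for ciphertext
    wrapped_key = bytes(rng.randrange(256) for _ in range(256))     # size of an RSA-2048 wrap (assumed)
    fake_header = HDR_START + b"\x00\x01" + wrapped_key + HDR_END   # assumed layout
    ciphertext = bytes(rng.randrange(256) for _ in range(4096))
    return {
        "report.docx.k7x9q2": fake_header + ciphertext,             # encrypted, random extension
        "notes.txt": b"SPDR is not the only word in this text. The quick brown fox. " * 40,
        "readme.md": b"Spider notes: SPDR " + b"A" * 5000 + b"ENDS",  # markers too far apart
    }


def scan_samples() -> list:
    return [triage(n, b) for n, b in _constructed_samples().items()]


if __name__ == "__main__":
    for r in scan_samples():
        print(r)
```

In practice you would feed `triage` from a directory walk of a suspect host and treat `spdr_header` plus high entropy as the signal; the entropy check alone is not specific, since compressed archives and media also score near 8.0.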

npm Malware Campaign Uses Advanced Cloaking to Filter Victims and Evade Researchers

Researchers have uncovered a sophisticated supply chain attack in the npm ecosystem in which a threat actor known as dino_reborn published seven malicious packages that selectively deliver harmful content while hiding their behavior from analysts. The campaign uses Adspect, a commercial traffic-cloaking platform, to fingerprint visitors at runtime and determine whether they resemble typical end users or security researchers. When victims load the malicious webpage generated by these packages, the JavaScript payload profiles thirteen behavioral and environmental indicators and, if the visitor passes the check, displays a fake cryptocurrency-themed CAPTCHA that redirects them to scam sites. If the payload detects analysis tools, DevTools, automation, or suspicious traffic traits, it responds with an innocuous blank page to hide the entire attack chain. Socket.dev researchers linked all seven packages, including signals-embed and integrator-filescrypt2025, to a single actor using a Proton Mail address and shared infrastructure. The campaign's novelty lies in embedding cloaking logic directly within npm packages, enabling precision targeting while evading automated scanners and manual investigation. The payload also uses aggressive in-browser anti-analysis measures, blocking right-click menus, disabling F12 and Ctrl-Shift-I, and reloading the page when DevTools are detected, which prevents researchers from stepping through the malicious logic. Adspect's server-side decision engine lets the actor rotate malicious redirect URLs dynamically without modifying any package, so the redirect chain survives takedowns of individual destination sites. This activity reflects an ongoing shift toward stealthy, behavior-aware supply chain attacks that mix commercial cloaking services, advanced fingerprinting, and deceptive UX flows to maximize infection success. Defenders should tighten dependency auditing, monitor for runtime fingerprinting scripts, and flag newly introduced obfuscated JavaScript in npm-sourced components.
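The in-browser anti-analysis tricks listed above (right-click blocking, F12 and Ctrl-Shift-I interception, reload-on-DevTools, automation checks) leave recognizable traces in package source. The Python below is an added example, not Socket's tooling and not the dino_reborn payload: a weighted heuristic scanner you could run over `node_modules` after an install to surface files that combine several of these behaviors. The patterns, weights, threshold and both JavaScript samples are constructed assumptions written for this illustration, and the sample "cloaked" snippet imitates the described behaviors rather than reproducing the campaign's code.

```python
"""Added example, not Socket's code or the dino_reborn payload: a heuristic
scanner for anti-analysis and fingerprinting patterns in JavaScript. The
rules, weights, threshold and both samples are constructed assumptions."""
import re

# Each rule: name -> (compiled pattern, weight). Patterns are deliberately loose
# so light obfuscation (spacing, arrow vs function syntax) does not hide them.
RULES = {
    "blocks_context_menu": (re.compile(r"['\"]contextmenu['\"][\s\S]{0,120}?preventDefault"), 2),
    "intercepts_f12": (re.compile(r"keyCode\s*===?\s*123|key\s*===?\s*['\"]F12['\"]"), 2),
    "intercepts_ctrl_shift_i": (re.compile(
        r"ctrlKey[\s\S]{0,60}?shiftKey[\s\S]{0,60}?(keyCode\s*===?\s*73|key\s*===?\s*['\"]I['\"])"), 2),
    "automation_check": (re.compile(r"navigator\.webdriver|__nightmare|_phantom|callPhantom"), 2),
    "devtools_size_check": (re.compile(r"outer(Width|Height)\s*-\s*inner(Width|Height)"), 3),
    "debugger_timing": (re.compile(r"debugger\s*;"), 2),
    "reload_on_detect": (re.compile(r"location\.reload\s*\("), 1),
    "string_decoding": (re.compile(r"String\.fromCharCode|\batob\s*\("), 1),
    "hex_escape_runs": (re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), 2),
}
THRESHOLD = 5  # assumed: a lone benign reload() or atob() must not trip it


def scan_source(src: str) -> dict:
    """Score one file; a file is suspicious when enough independent tricks co-occur."""
    hits = {name for name, (pat, _w) in RULES.items() if pat.search(src)}
    score = sum(RULES[name][1] for name in hits)
    return {"hits": sorted(hits), "score": score, "suspicious": score >= THRESHOLD}


def scan_package(files: dict) -> list:
    """files maps path -> source text; returns flagged paths with their evidence."""
    flagged = []
    for path, src in files.items():
        r = scan_source(src)
        if r["suspicious"]:
            flagged.append({"path": path, **r})
    return flagged


# Constructed sample imitating the described behaviors (not the campaign's code).
CLOAKED_JS = r"""
document.addEventListener('contextmenu', e => e.preventDefault());
document.onkeydown = function (e) {
  if (e.keyCode === 123) return false;                            // F12
  if (e.ctrlKey && e.shiftKey && e.keyCode === 73) return false;  // Ctrl-Shift-I
};
function analyst() {
  return navigator.webdriver || (outerWidth - innerWidth > 160);
}
setInterval(() => { if (analyst()) location.reload(); }, 500);
var u = String.fromCharCode(104, 116, 116, 112, 115);
"""

# Constructed benign sample: one reload() is ordinary application code.
BENIGN_JS = r"""
export function refresh(btn) {
  btn.addEventListener('click', () => location.reload());
}
"""

if __name__ == "__main__":
    print(scan_package({"dist/index.js": CLOAKED_JS, "src/refresh.js": BENIGN_JS}))
```

Scoring on co-occurrence is the point: any one of these patterns appears in legitimate code, but a file that blocks the context menu, intercepts DevTools shortcuts, checks `navigator.webdriver` and reloads on detection has no ordinary reason to exist inside an npm dependency.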

China-Linked “PlushDaemon” Expands Global Supply-Chain Intrusions via Malicious Update Hijacking

Researchers have uncovered an expanded cyberespionage campaign by PlushDaemon, a China-aligned threat actor active since at least 2018 and known for targeting manufacturers, universities, and critical organizations across the U.S., East Asia, and Oceania. The group has shifted aggressively toward software-update hijacking, using a newly identified router implant called EdgeStepper to intercept DNS requests and silently redirect update traffic to attacker-controlled servers. Once a router is under its control, EdgeStepper funnels victims into a staged Windows malware chain that begins with LittleDaemon, a downloader masquerading as a legitimate DLL, continues with an in-memory loader dubbed DaemonicLogistics, and ultimately delivers the group's long-running backdoor, SlowStepper. This backdoor enables extensive system reconnaissance, file manipulation, command execution, and Python-based credential and data theft, reflecting tooling previously used in attacks on South Korean VPN software. PlushDaemon's operations demonstrate highly scalable adversary-in-the-middle capabilities, allowing the group to compromise targets worldwide by manipulating update channels for widely used applications, including China's popular Sogou Pinyin input method. The campaign leverages routers compromised through weak passwords and known vulnerabilities, giving the group long-term footholds that sit outside the reach of traditional endpoint defenses. ESET telemetry shows this tactic has been active since 2019 and continues to expand across diverse industries, combining supply-chain manipulation with custom malware families written in Golang and Python. Because the implant can hijack arbitrary update domains, defenders should harden router configurations, enforce DNS integrity protections, and validate software update sources using strict cryptographic verification to mitigate these globally scalable supply-chain attacks.
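A router-level hijack of this kind is invisible to the endpoint unless something compares what the local resolver answers against what the update host is expected to resolve to. The Python below is an added example (not ESET's code and not EdgeStepper) that parses DNS responses at the wire level, including name compression, and flags A-record answers for a monitored update domain that fall outside pinned address ranges. In production the packets would come from a capture of the on-path resolver's traffic or from a side-by-side query to a trusted DoH resolver; here the update domain, the pinned 203.0.113.0/24 range and the two response packets are constructed assumptions.

```python
"""Added example, not ESET's code or EdgeStepper: a minimal DNS wire-format
parser that checks A-record answers for an update domain against pinned
ranges. The domain, the pinned range and both packets are assumptions."""
import ipaddress
import struct

# Assumed allowlist: where the vendor's update host is expected to resolve.
PINNED = {"update.example.com": [ipaddress.ip_network("203.0.113.0/24")]}


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_response(qname: str, ips, txid: int = 0x1234) -> bytes:
    """Constructed DNS response: one A question, one A answer per ip. Answer names
    use a compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1, RD, RA
    question = encode_name(qname) + struct.pack(">HH", 1, 1)          # QTYPE A, QCLASS IN
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
        for ip in ips)
    return header + question + answers


def read_name(pkt: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                          # name ends after the first pointer
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(pkt: bytes):
    """Returns (first question name, [A-record answers as dotted strings])."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    off, qname = 12, None
    for _ in range(qd):
        name, off = read_name(pkt, off)
        off += 4                                        # skip QTYPE, QCLASS
        qname = qname or name
    ips = []
    for _ in range(an):
        _name, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            ips.append(str(ipaddress.IPv4Address(rdata)))
    return qname, ips


def check_update_answer(pkt: bytes, pinned=PINNED):
    """None when the question is not a monitored update domain; otherwise a verdict."""
    qname, ips = parse_a_records(pkt)
    if qname not in pinned:
        return None
    rogue = [ip for ip in ips
             if not any(ipaddress.ip_address(ip) in net for net in pinned[qname])]
    return {"domain": qname, "answers": ips, "rogue": rogue, "hijacked": bool(rogue)}


if __name__ == "__main__":
    print(check_update_answer(build_response("update.example.com", ["203.0.113.10"])))
    print(check_update_answer(build_response("update.example.com", ["198.51.100.7"])))
```

Pinning resolution ranges is a detection aid, not a substitute for the update client verifying a signature over the downloaded artifact with a key it already holds; a hijacked resolver that also fronts the real server's TLS name would still fail signature verification.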

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.